What the Tech forums
Log Review Please
mpm32, posted Jan 14 2007, 07:44 PM (Post #1)
Operating System: XP

I am getting an unauthorized shutdown; it shuts down and restarts at random times. I have run Ad-Aware, Spybot S&D and Windows Defender several times and the issue persists. I have run HijackThis and am pasting my logfile. Thanks in advance for your help.

CODE
Logfile of HijackThis v1.99.1
Scan saved at 8:35:01 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\PdeSrv2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) -  - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesdancl1.pb.com/iNotes6W.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137209401114
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://usextranet.aigfpc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE



My startup list
CODE
StartupList report, 1/14/2007, 8:43:05 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Mark\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\PdeSrv2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Susan528, posted Jan 14 2007, 10:33 PM (Post #2)
Operating System: Windows XP Pro

Hello mpm32, and welcome to TomCoyote.

Please do the following:

Disable Microsoft Windows Defender:
We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Disable Winpatrol:
Please disable Winpatrol as it may hinder the removal of some entries.
Right click the running icon of Winpatrol, and choose exit.

After all of the fixes are complete it is very important that you enable WinPatrol again.

STEP 1.
======
CWShredder

Please download and run CWShredder
Make sure that all browser windows are closed, with the exception of CWShredder, and choose FIX.

Scan with HijackThis. Place a check against each of the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - - (no file)

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit.
  • Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Anti-spyware.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Please post:
  • AVG Anti-spyware log
  • A new HijackThis log
You may need several replies to post the requested logs; otherwise they might get cut off. Please let me know what problems you are experiencing with your computer.
mpm32, posted Jan 15 2007, 12:44 AM (Post #3)
Operating System: XP

Thanks for the advice so far. I followed the instructions above.

Here is the AVG log:

CODE
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:    1:36:30 AM 1/15/2007

+ Scan result:    



C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP366\A0033798.dll -> Adware.Comet : Cleaned.
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\ZFIWQRM5\drsmartload[1].exe -> Downloader.Adload.l : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP367\A0035842.exe -> Downloader.Adload.l : Cleaned.
C:\NTDETECT.EXE -> Downloader.Agent.bda : Cleaned.
C:\WINDOWS\9129837.exe -> Downloader.Agent.bda : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP389\A0038436.exe -> Downloader.Small.cdz : Cleaned.
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP386\A0038320.sys -> Rootkit.Small : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@reciperewards.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Lili\Cookies\lili@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Lili\Cookies\lili@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lili\Cookies\lili@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lili\Cookies\lili@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Mark\Cookies\mark@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Lili\Cookies\lili@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@sec1.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Lili\Cookies\lili@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Lili\Cookies\lili@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Amie\Cookies\amie@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\Lili\Cookies\lili@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end


Here is a new HijackThis log:

CODE
Logfile of HijackThis v1.99.1
Scan saved at 1:40:11 AM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Documents and Settings\Mark\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\PdeSrv2.exe
C:\PROGRA~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesdancl1.pb.com/iNotes6W.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137209401114
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://usextranet.aigfpc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

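Comparing a HijackThis log from before and after a fix is what the helper does by eye in this thread; the script below does the same mechanically. It is an added example written for this page, not a HijackThis or What the Tech tool. It parses the Rn/Onn entry lines, flags a few patterns a log reviewer looks for (targets tagged (no file) or (file missing), Run entries that name a bare executable with no directory, Winlogon Notify DLLs) and diffs two logs. The two embedded excerpts are trimmed from the logs posted in this thread (a constructed subset, not the full logs); the triage rules are my heuristics, not anything HijackThis itself reports.

```python
"""Parse, triage and diff HijackThis (v1.99.x) logs.

Added example for this thread; not a HijackThis or What the Tech tool.
The two log excerpts at the bottom are trimmed from the logs posted in
this thread (a constructed subset, not the complete logs).
"""
import re
from dataclasses import dataclass

# Entry lines look like "R0 - ...", "O4 - ...", "O23 - ...".
# Headers and the running-process list have no such prefix and are skipped.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")
# HijackThis marks a registry value whose target is gone with these tags.
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
# Run-key entries: HKLM\..\Run: [name] "C:\path\prog.exe" -args
RUN_TARGET_RE = re.compile(r"\[[^\]]*\]\s+\"?([^\"\s]+)")


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis category code: R1, O4, O23, ...
    body: str     # text after the "Oxx - " prefix


def parse_hjt(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def triage(entry: Entry) -> list[str]:
    """Reasons an entry deserves a second look. Heuristics, not verdicts."""
    reasons = []
    if MISSING_RE.search(entry.body):
        reasons.append("target file no longer exists (orphan, or a hidden target)")
    if entry.section == "O4":
        m = RUN_TARGET_RE.search(entry.body)
        if m and "\\" not in m.group(1):
            # No directory given: Windows locates the file by search order
            # (system32, Windows dir, PATH), so a same-named file planted
            # earlier in that order would run instead of the intended one.
            reasons.append("bare filename resolved through the PATH search order")
    if entry.section == "O20":
        reasons.append("Winlogon Notify DLL loads inside winlogon.exe; confirm the vendor")
    return reasons


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries that disappeared after the fix, and entries that are new."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    removed = sorted(b - a, key=lambda e: (e.section, e.body))
    added = sorted(a - b, key=lambda e: (e.section, e.body))
    return removed, added


BEFORE = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528
R3 - URLSearchHook: (no name) -  - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
"""

AFTER = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for tag, group in (("- removed", removed), ("+ added", added)):
        for e in group:
            print(f"{tag}: {e.section} - {e.body}")
    for e in parse_hjt(AFTER):
        for reason in triage(e):
            print(f"review: {e.section} - {e.body[:60]} ... [{reason}]")
```

On these excerpts the diff reports the two R-entries the helper had fixed as removed and the AVG Anti-Spyware guard service as added, and the triage still lists the orphaned tmproxy service and the pathless stsystra.exe entry. A bare filename in a Run key is usually an OEM installer's habit rather than malware, but it is worth a look for exactly the reason in the comment.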
Susan528, posted Jan 15 2007, 06:44 AM (Post #4)
Operating System: Windows XP Pro

Hi mpm32,

Your logs look much better. How is your computer working now? I would like to check a few more things.

Please do the following:

STEP 1.
======
GMER
Please create a new subfolder in the Program Files folder called GMER. If you have an older version of GMER installed, you must delete it.
  • Download GMER and extract it to the C:\program files\GMER folder.
  • Please rename the GMER file
    Note: You can rename gmer.exe to anything you like as long as you keep the .exe ending.
    Run the renamed gmer.exe by double-clicking the executable file in Windows Explorer.
    You may be prompted to scan immediately if GMER detects rootkit activity.
    • If you are prompted to scan your system click "yes" to begin the scan.
    • If you are not prompted, Click the "Rootkit" tab, then click "Scan".
At the end of the scan, click "Copy" to copy the scan results to the clipboard. Then paste the results in a notepad file and also paste them back in your next reply.

Please post (reply) with the results from the GMER scan, and a fresh hijackthis log.

STEP 2.
======
Combofix
  1. Download this file - combofix.exe
  2. Double click combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please post the GMER results, the ComboFix log and a new hijackthis log.

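A note on reading what GMER returns, with an added example that is not part of GMER and not one of the original posts in this thread. GMER lists SSDT hooks, the SYSENTER handler and inline patches in kernel modules, each with the path of the code that now receives control. Two things decide how worrying a line is: who owns the hook (an installed security product hooking ZwOpenProcess and ZwTerminateProcess is normal self-protection) and where that owner lives. A path with a second colon after the drive letter, such as C:\WINDOWS\system32:name.sys, is an NTFS alternate data stream attached to a directory; dir and Explorer never list it, and a driver loaded from one is a rootkit until proven otherwise. The script parses a report in GMER 1.0.12's line format and ranks each hook. The report text is constructed for the example (hypothetical addresses and stream name hidden.sys), and the set of "expected" hook owners is an assumption about this particular machine.

```python
"""Triage a GMER rootkit-scan report.

Added example written for this thread; it is not part of GMER and not the
forum's own tooling. SAMPLE_REPORT is constructed in the line format GMER
1.0.12 prints, with hypothetical addresses and a hypothetical stream name.
"""
import re
from dataclasses import dataclass

# Assumption for this example: AVG Anti-Spyware is installed, and its
# guard.sys hooking ZwOpenProcess/ZwTerminateProcess is normal
# self-protection. Any other hook owner is treated as unknown.
KNOWN_SECURITY_DRIVERS = {"guard.sys"}
# Modules where an inline patch by an unknown driver puts it in the packet
# path, ahead of the personal firewall.
NETWORK_MODULES = {"tcpip.sys", "ndis.sys", "wanarp.sys", "afd.sys"}

SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>\S.*?)\s+(?P<func>Zw\w+)$")
SYSENTER_RE = re.compile(r"^SYSENTER\s+(?P<owner>\S.*?)\s+(?P<addr>[0-9A-F]{8})$")
CODE_RE = re.compile(r"^Code\s+(?P<owner>\S.*?)\s+(?P<func>\w+)$")
INLINE_RE = re.compile(
    r"^\.text\s+(?P<module>[^\s!]+)(?:!(?P<symbol>\S+)\s+\+\s+(?P<off>[0-9A-F]+))?"
    r"\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
JUMP_RE = re.compile(r"^(?:CALL|JMP)\s+[0-9A-F]{8}\s+(?P<owner>\S.*)$")


@dataclass
class Hook:
    kind: str      # SSDT, SYSENTER, Code or inline
    victim: str    # hooked service, or module!symbol for inline patches
    owner: str     # NT path of the code that now receives control ("" if unresolved)
    severity: str  # expected, info, medium, high or critical
    note: str


def is_ads(path: str) -> bool:
    # A normal NT path has one colon, after the drive letter. A second colon
    # names an NTFS alternate data stream: \??\C:\WINDOWS\system32:hidden.sys
    # is a stream hung off the system32 directory; dir and Explorer never list it.
    return path.removeprefix("\\??\\").count(":") > 1


def owner_name(path: str) -> str:
    """Bare file or stream name of a hook owner, lower-cased."""
    return path.rsplit("\\", 1)[-1].rsplit(":", 1)[-1].lower()


def classify(kind: str, victim: str, owner: str, module: str = "") -> Hook:
    if owner and is_ads(owner):
        return Hook(kind, victim, owner, "critical",
                    "hook owner is hidden in an NTFS alternate data stream")
    if owner and owner_name(owner) in KNOWN_SECURITY_DRIVERS:
        return Hook(kind, victim, owner, "expected",
                    "self-protection hook of an installed security product")
    if kind == "SYSENTER":
        return Hook(kind, victim, owner, "high",
                    "system-call entry point redirected to an unknown driver")
    if kind == "inline" and module.lower() in NETWORK_MODULES and owner:
        return Hook(kind, victim, owner, "high",
                    "network stack patched by an unknown driver")
    if not owner:
        return Hook(kind, victim, owner, "info",
                    "bytes changed, no owner resolved; compare with a clean copy of the module")
    return Hook(kind, victim, owner, "medium", "kernel hook by an unknown driver")


def triage_gmer(report: str) -> list[Hook]:
    hooks = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            hooks.append(classify("SSDT", m["func"], m["owner"]))
        elif m := SYSENTER_RE.match(line):
            hooks.append(classify("SYSENTER", "SYSENTER_EIP", m["owner"]))
        elif m := CODE_RE.match(line):
            hooks.append(classify("Code", m["func"], m["owner"]))
        elif m := INLINE_RE.match(line):
            victim = m["module"] + (f"!{m['symbol']}" if m["symbol"] else "")
            jump = JUMP_RE.match(m["rest"])
            hooks.append(classify("inline", victim, jump["owner"] if jump else "", m["module"]))
    return hooks


# Constructed report in GMER 1.0.12 format (hypothetical addresses and stream name).
SAMPLE_REPORT = r"""GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-15 09:28:14
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

SYSENTER \??\C:\WINDOWS\system32:hidden.sys AA73AC4A

Code \??\C:\WINDOWS\system32:hidden.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!Kei386EoiHelper + 4E6 80541382 3 Bytes [ BD, 15, 6C ]
.text tcpip.sys!IPTransmit + 10FC AA3CDD3A 6 Bytes CALL AA73CA13 \??\C:\WINDOWS\system32:hidden.sys
.text wanarp.sys F77E33FD 7 Bytes CALL AA73CA1D \??\C:\WINDOWS\system32:hidden.sys
"""

if __name__ == "__main__":
    for h in triage_gmer(SAMPLE_REPORT):
        print(f"{h.severity:8} {h.kind:8} {h.victim:32} {h.owner or '-'}  ({h.note})")
```

The severity names are mine. The point of the ordering in classify is that ownership beats location: a stream-resident driver is flagged before anything else is considered, because once something that hides from the file system holds the SYSENTER entry and patches tcpip.sys, every other line in the report (and any scan run from within Windows) is suspect, which is also why helpers ask for a fresh scan after each cleaning step.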
mpm32, posted Jan 15 2007, 09:12 AM (Post #5)
Operating System: XP

I am having a problem getting through the GMER scan. At around registry\machine\system\controlinterfaces\... something causes the system to crash to "A problem has been detected and Windows has been shut down to prevent further damage...". So, I copied a log file prior to the crash, both when running in Safe Mode and in regular mode. Also, under the Windows folder I have around 50+ files with this naming convention: $NTUninstallKB896423$. Are these files normal?

Here is one of the GMER logs:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-15 09:28:14
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

SYSENTER \??\C:\WINDOWS\system32:huy32.sys AA73AC4A

Code \??\C:\WINDOWS\system32:huy32.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!Kei386EoiHelper + 4E6 80541382 3 Bytes [ BD, 15, 6C ]
.text tcpip.sys!IPTransmit + 10FC AA3CDD3A 6 Bytes CALL AA73CA13 \??\C:\WINDOWS\system32:huy32.sys
.text tcpip.sys!IPTransmit + 2850 AA3CF48E 6 Bytes CALL AA73CA13 \??\C:\WINDOWS\system32:huy32.sys
.text tcpip.sys!ARPRcv + 5029 AA3D44DC 6 Bytes CALL AA73CA13 \??\C:\WINDOWS\system32:huy32.sys
.text wanarp.sys F77E33FD 7 Bytes CALL AA73CA1D \??\C:\WINDOWS\system32:huy32.sys

---- User code sections - GMER 1.0.12 ----


There are 21,483 lines in this scan, far too many to post here.
Here is the 2nd scan:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-15 09:55:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

SYSENTER \??\C:\WINDOWS\system32:huy32.sys AA73AC4A

Code \??\C:\WINDOWS\system32:huy32.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!Kei386EoiHelper + 4E6 80541382 3 Bytes [ BD, 15, 6C ]
.text tcpip.sys!IPTransmit + 10FC AA3CDD3A 6 Bytes CALL AA73CA13 \??\C:\WINDOWS\system32:huy32.sys
.text tcpip.sys!IPTransmit + 2850 AA3CF48E 6 Bytes CALL AA73CA13 \??\C:\WINDOWS\system32:huy32.sys
.text tcpip.sys!ARPRcv + 5029 AA3D44DC 6 Bytes CALL AA73CA13 \??\C:\WINDOWS\system32:huy32.sys
.text wanarp.sys F77F33FD 7 Bytes CALL AA73CA1D \??\C:\WINDOWS\system32:huy32.sys

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE A8565C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE A85627C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ A855E60A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE A855EAED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION A8569958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION A856C821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA A857538A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA A8574D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS A856EBBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION A856F331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION A857D4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL A8565B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL A8561948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL A856B46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN A857C79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL A857BC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP A85622FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP A857C1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible A85771F9
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [A9B13D30] tfsnifs.sys

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\system32:huy32.sys (*** hidden *** ) [SYSTEM] huy32 <-- ROOTKIT !!!

Here is the combofix log:
"Mark" - 07-01-15 9:32:16 Service Pack 2
ComboFix 07-01-15 - Running from: "C:\Documents and Settings\Mark\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\11586343.exe
C:\WINDOWS\61796.exe
C:\WINDOWS\90260328.exe
C:\DOCUME~1\Mark\Application Data\Install.dat
C:\WINDOWS\system32\bszip.dll
C:\x.txt


((((((((((((((((((((((((((((((( Files Created from 2006-12-15 to 2007-01-15 ))))))))))))))))))))))))))))))))))


2007-01-15 09:07 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2007-01-15 09:04 <DIR> d-------- C:\Program Files\GMER
2007-01-15 00:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-15 00:11 <DIR> d-------- C:\Program Files\Grisoft
2007-01-14 23:33 <DIR> d-------- C:\Program Files\PCPitstop
2007-01-14 23:33 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-01-14 20:19 <DIR> d-------- C:\Program Files\Windows Defender
2007-01-14 19:53 <DIR> d-------- C:\DOCUME~1\Mark\Application Data\WinPatrol
2007-01-14 19:50 <DIR> d-------- C:\Program Files\BillP Studios
2007-01-14 19:41 106 --a------ C:\delete.bat
2007-01-11 07:23 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-01-11 07:23 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-01-07 19:37 <DIR> d-------- C:\WINDOWS\Profiles
2007-01-07 19:37 <DIR> d-------- C:\DOCUME~1\Mark\Application Data\InterTrust
2007-01-07 19:36 69,632 --a------ C:\WINDOWS\system32\hcwsched.dll
2007-01-07 19:36 65,603 --a------ C:\WINDOWS\system32\hcwIRblast.dll
2007-01-07 19:36 65,536 --a------ C:\WINDOWS\system32\dmcrypto.dll
2007-01-07 19:36 286,720 --a------ C:\WINDOWS\system32\hcwzblast.dll
2007-01-07 19:36 <DIR> d-------- C:\WINDOWS\system32\hauppauge
2007-01-07 19:35 94,264 --a------ C:\WINDOWS\system32\hcwi2c32.dll
2007-01-07 19:35 90,174 --a------ C:\WINDOWS\system32\bt848wst.dll
2007-01-07 19:35 524,353 --a------ C:\WINDOWS\system32\HCWTVWND.dll
2007-01-07 19:35 229,432 --a------ C:\WINDOWS\system32\hcwpnp32.dll
2007-01-07 19:35 12,288 --a------ C:\WINDOWS\system32\btgpio32.dll
2007-01-07 19:35 11,264 --a------ C:\WINDOWS\system32\hcwhook.dll
2007-01-07 19:35 106,559 --a------ C:\WINDOWS\system32\Hcwtvdlg.dll
2007-01-07 19:35 <DIR> d-------- C:\MyVideos
2007-01-07 19:34 393,216 --a------ C:\WINDOWS\system32\hcwsnbd9.dll
2007-01-07 19:34 213,050 --a------ C:\WINDOWS\system32\Hcwchan.dll
2007-01-07 19:34 <DIR> d-------- C:\Program Files\WinTV
2007-01-07 19:33 472,644 -ra------ C:\WINDOWS\system32\drivers\HCWBT8XX.sys
2007-01-07 19:33 36,921 --------- C:\WINDOWS\system32\hcwutl32.dll
2007-01-07 18:53 <DIR> d-------- C:\WINDOWS\system32\ODCTOOLS
2007-01-07 18:20 <DIR> d-------- C:\DOCUME~1\Mark\Application Data\Apple Computer
2006-12-31 16:43 <DIR> d-------- C:\Program Files\DVD Identifier
2006-12-29 19:33 <DIR> d-------- C:\WINDOWS\MVUNINST
2006-12-29 19:33 <DIR> d-------- C:\Program Files\Memorex exPressit Label Design Studio
2006-12-29 19:33 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2006-12-28 16:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2006-12-25 18:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Apple Computer
2006-12-25 14:02 <DIR> d-------- C:\Program Files\THQ
2006-12-25 11:09 <DIR> d-------- C:\DOCUME~1\Lili\Application Data\Corel
2006-12-25 10:43 <DIR> d-------- C:\Program Files\TABLET
2006-12-21 21:05 <DIR> d-------- C:\WINDOWS\em3kfiles
2006-12-19 21:12 <DIR> d-------- C:\DOCUME~1\Lili\Application Data\Lavasoft
2006-12-18 18:28 <DIR> d-------- C:\DOCUME~1\Amie\Application Data\Lavasoft
2006-12-15 17:01 <DIR> d-------- C:\Program Files\EASEUS


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-14 17:25 4184 --a------ C:\WINDOWS\system32\kgygaavl.sys
2007-01-14 17:25 104 -r-hs---- C:\WINDOWS\system32\712d88b994.sys
2007-01-14 14:41 -------- d-------- C:\Program Files\quicktime
2007-01-13 22:26 -------- d-------- C:\Program Files\quicken
2007-01-13 09:29 -------- d--h----- C:\Program Files\installshield installation information
2007-01-13 09:28 -------- d-------- C:\Program Files\disney interactive
2007-01-10 07:11 115880 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-10 07:11 114856 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-10 07:10 36528 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-01-07 19:37 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-07 18:30 -------- d-------- C:\Program Files\Common Files\caere
2006-12-29 20:11 -------- d-------- C:\Program Files\dell
2006-12-27 21:56 -------- d-------- C:\Program Files\yahoo!
2006-12-27 21:54 -------- d-------- C:\Program Files\google
2006-12-25 11:06 -------- d-------- C:\Program Files\corel
2006-12-09 17:15 -------- d-------- C:\Program Files\arcsoft
2006-12-09 17:13 -------- d-------- C:\Program Files\caere
2006-12-09 17:00 -------- d-------- C:\DOCUME~1\Mark\Application Data\canon
2006-12-06 23:14 2330624 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-06 14:33 -------- d-------- C:\Program Files\partygaming
2006-11-29 12:51 -------- d-------- C:\Program Files\partygaming.net
2006-11-24 11:03 -------- d-------- C:\Program Files\virtools web player 3.5
2006-11-24 11:03 -------- d-------- C:\Program Files\virtools
2006-11-08 00:06 679424 --------- C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"PDUiP6600DMon"="C:\\Program Files\\Canon\\Memory Card Utility\\iP6600D\\PDUiP6600DMon.exe"
"SSRunScript"="\"C:\\Program Files\\Support.com\\Charter\\bin\\SSRunScript.exe\" /script \"C:\\Program Files\\Support.com\\Charter\\vbs\\verifyconnection.vbs\" /args //b startupdelay"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"="C:\\WINDOWS\\system32\\mstask.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
Shell\AutoRun\command E:\setup.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 07-01-15 9:36:20


Here is the new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:18 AM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\WinTV\Ir.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\PdeSrv2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Mark\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesdancl1.pb.com/iNotes6W.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137209401114
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://usextranet.aigfpc.com/dana-cached/s...perSetupSP1.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE


Once again thanks for your help.

mpm32
post Jan 15 2007, 11:58 AM
Post #6
Authentic Member | Group: Authentic Member | Posts: 30 | Joined: 14-January 07 | Member No.: 66,404 | Operating System: XP

It is now rebooting again with the NT Authority/System message whenever I run AVG scans.
Susan528
post Jan 15 2007, 12:43 PM
Post #7
SuperMember | Group: Authentic Member | Posts: 3,194 | Joined: 25-May 05 | From: L.A. (lower Alabama) | Member No.: 33,131 | Operating System: Windows XP Pro

Hello mpm32,

GMER found a rootkit.

Please do the following:

Blacklight

Download the Blacklight trial from here:
http://www.f-secure.com/blacklight/
  • Click I accept. It will take you to the download page.
  • Download blbeta.exe and save it to the Desktop.
  • Once saved, double-click blbeta.exe to install the program.
  • Click to accept the agreement, then click Scan.
    This app, too, may fire off a warning from your antivirus. Let the driver load.
    Wait for it to finish.
  • If it displays any items, don't do anything with them yet. Just hit Exit (close).
  • It will drop a log on the Desktop whose name starts with fsbl followed by a long number.
Please post the contents of the log.
=========
Please download The Avenger by Swandog46 to the Desktop.
Click on Avenger.zip to open the file.
Then extract avenger.exe to the Desktop.

Next, copy all of the script text below to the Clipboard by highlighting it and pressing Ctrl+C:

CODE
Files to delete:
C:\WINDOWS\system32\huy32.sys

Drivers to unload:
huy32

Start The Avenger program by clicking its icon on the Desktop.
Under "Script file to execute", select "Input Script Manually".
Now click on the Magnifying Glass icon.
It opens a new window titled "View/edit script".
Paste the text copied to the clipboard into this window by pressing Ctrl+V.
Click Done.

Next, click on the Green Light to begin the execution of the script.
Answer Yes twice when prompted.

The Avenger automatically does the following:
Restarts the computer.
On reboot, briefly opens a black command window on the Desktop. This is normal.

After the restart, it creates a log that opens with the results of Avenger's actions.
This log is located at C:\avenger.txt

Please post the contents of the Blacklight log and of C:\avenger.txt in your reply.

mpm32
post Jan 15 2007, 05:37 PM
Post #8
Authentic Member | Group: Authentic Member | Posts: 30 | Joined: 14-January 07 | Member No.: 66,404 | Operating System: XP

Here is the Blacklight log:

01/15/07 18:17:31 [Info]: BlackLight Engine 1.0.55 initialized
01/15/07 18:17:31 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/15/07 18:17:31 [Note]: 7019 4
01/15/07 18:17:31 [Note]: 7005 0
01/15/07 18:17:31 [Note]: 7006 0
01/15/07 18:17:31 [Note]: 7011 1896
01/15/07 18:17:31 [Note]: 7026 0
01/15/07 18:17:32 [Note]: 7026 0
01/15/07 18:17:42 [Note]: FSRAW library version 1.7.1021
01/15/07 18:24:07 [Note]: 7007 0

Avenger didn't seem to run fully; the PC crashed, then rebooted. Here is that log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hifwjkkc

*******************

Script file located at: \??\C:\WINDOWS\ytniwcyb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\huy32.sys not found!
Deletion of file C:\WINDOWS\system32\huy32.sys failed!

Could not process line:
C:\WINDOWS\system32\huy32.sys
Status: 0xc0000034

Driver huy32 unloaded successfully.

Completed script processing.

*******************

Finished! Terminate.

Thanks, what's next?
Susan528
post Jan 15 2007, 05:53 PM
Post #9
SuperMember | Group: Authentic Member | Posts: 3,194 | Joined: 25-May 05 | From: L.A. (lower Alabama) | Member No.: 33,131 | Operating System: Windows XP Pro

QUOTE
Driver huy32 unloaded successfully.

It seemed to find the driver. Please run GMER again. I am curious whether the rootkit is detected. Be sure to save the log.

I am going to consult with some others about this.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next, click on Launch Kaspersky Online Scanner.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan":
  • Select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.

Please copy and paste the information from AboutBuster and from Kaspersky in your reply.

This post has been edited by Susan528: Jan 16 2007, 08:47 AM
mpm32
post Jan 15 2007, 08:44 PM
Post #10
Authentic Member | Group: Authentic Member | Posts: 30 | Joined: 14-January 07 | Member No.: 66,404 | Operating System: XP

Here is the latest GMER log:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-15 20:17:14
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 86607C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 866047C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 8660060A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 86600AED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 8660B958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 8660E821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 8661738A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 86616D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 86610BBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 86611331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 8661F4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 86607B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 86603948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 8660D46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 8661E79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 8661DC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 866042FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 8661E1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible 866191F9
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [A9F78D30] tfsnifs.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Amie\Local Settings\Temporary Internet Files\Content.IE5\ABA94N4V\master:GLP016[1].jpg
ADS C:\Documents and Settings\Amie\Local Settings\Temporary Internet Files\Content.IE5\H0WV9HWH\inuse:GLP019[1].jpg
ADS C:\WINDOWS\system32:huy32.sys

---- EOF - GMER 1.0.12 ----


And the Kaspersky scan log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 15, 2007 9:40:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 16/01/2007
Kaspersky Anti-Virus database records: 244186
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 111088
Number of viruses found: 5
Number of infected objects: 12 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:04:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\552c4f10c7bc7882704d1e7e1cbf28ee_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01142007-201932.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/drsmartload1.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Amie\Local Settings\Temporary Internet Files\Content.IE5\ABA94N4V\in[1] Infected: Trojan-PSW.Win32.Small.bs skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.280/[From "eBay Member: mpm32004" <member@ebay.com>][Date Thu, 5 May 2005 05:24:30 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.280 Mail: infected - 1 skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.282/[From "eBay Member: mpm32004" <member@ebay.com>][Date Tue, 17 May 2005 18:59:42 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.282 Mail: infected - 1 skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{7D26AF48-3063-44B7-8668-4A6AF3C0BC63} Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{7D947CF3-24BC-4CFC-807F-AA42195FC39D} Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{88044787-6BF3-48FA-9C31-4C827168503B} Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{DEA85E82-7B33-4D4F-94A0-9FB04CFBCEB2} Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EB13F748-5C83-41FD-A13B-8FE49D368B54} Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Musicmatch\Jukebox\Portables.log Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\History\History.IE5\MSHist012007011520070116\index.dat Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Temp\JETE7EA.tmp Object is locked skipped
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mark\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark\Shared\(Crack) easyrecorder.ace/toolBar.exe Infected: Trojan-Downloader.Win32.IstBar.nj skipped
C:\Documents and Settings\Mark\Shared\(Crack) easyrecorder.ace ACE: infected - 1 skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP389\A0040573.EXE Infected: Trojan-Downloader.Win32.Agent.bda skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP389\A0040574.exe Infected: Trojan-Downloader.Win32.Agent.bda skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP389\A0042630.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP389\A0042631.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP389\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\em3kfiles\install.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{85A35CE6-03D8-4E84-AAFB-D97FF2E3D983}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Thanks.
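Most of the Kaspersky report above is noise: every "Object is locked skipped" line is a file the operating system keeps open (the registry hives under system32\config, the event logs, the index.dat files, the SAM) and is not a finding. The real hits are the "Infected:" and "Suspicious:" lines, and of those, the ones under System Volume Information are restore-point copies (RP389\A00xxxxx.exe) that are cleared by flushing System Restore rather than by deleting them by hand; the ZIP/ACE/Mail lines are container summaries for a hit already listed on the line above them. The PowerShell below is an added example, not part of the thread and not a Kaspersky tool, that pulls a report apart along those lines. The sample report is constructed from lines quoted above, the line regex assumes the layout shown there (path, verdict, "skipped"), and the simplified Where-Object and -in syntax need PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): triage a Kaspersky Online Scanner report.
# The sample below is constructed from lines in the report posted above.
$SampleReport = @'
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/drsmartload1.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Amie\Local Settings\Temporary Internet Files\Content.IE5\ABA94N4V\in[1] Infected: Trojan-PSW.Win32.Small.bs skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.280 Mail: infected - 1 skipped
C:\Documents and Settings\Mark\Shared\(Crack) easyrecorder.ace/toolBar.exe Infected: Trojan-Downloader.Win32.IstBar.nj skipped
C:\Documents and Settings\Mark\Shared\(Crack) easyrecorder.ace ACE: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP389\A0040573.EXE Infected: Trojan-Downloader.Win32.Agent.bda skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP389\A0042630.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\WINDOWS\em3kfiles\install.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
'@

# One report line: <path> <verdict> skipped. Path is matched lazily so the verdict
# keywords decide where it ends; header and statistics lines simply do not match.
$LineRx = '^(?<Path>.+?) (?<Verdict>(?:Infected|Suspicious): \S+|(?:ZIP|ACE|RAR|Mail): .+?|Object is locked) skipped\s*$'

function ConvertFrom-KasperskyReport {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -notmatch $LineRx) { continue }
        $path = $Matches.Path; $verdict = $Matches.Verdict
        if     ($verdict -eq 'Object is locked') { $kind = 'Locked';     $name = $null }                  # in-use OS file, not a finding
        elseif ($verdict -like 'Infected:*')     { $kind = 'Infected';   $name = $verdict.Substring(10) } # after "Infected: "
        elseif ($verdict -like 'Suspicious:*')   { $kind = 'Suspicious'; $name = $verdict.Substring(12) } # after "Suspicious: "
        else                                     { $kind = 'Container';  $name = $null }                  # archive/mailbox summary line
        [pscustomobject]@{
            Kind         = $kind
            Name         = $name
            Path         = $path
            RestorePoint = $path -like '*\System Volume Information\_restore*'
        }
    }
}

function Get-KasperskyTriage {
    param([Parameter(Mandatory)][string]$Text)
    $rows = @(ConvertFrom-KasperskyReport -Text $Text)
    $hits = @($rows | Where-Object { $_.Kind -in 'Infected','Suspicious' })
    [pscustomobject]@{
        Lines      = $rows.Count
        Locked     = @($rows | Where-Object Kind -eq 'Locked').Count
        Detections = $hits.Count
        # Live copies must be removed by hand (or by the tools the helper chooses);
        # restore-point copies disappear when System Restore is flushed.
        Live       = @($hits | Where-Object { -not $_.RestorePoint } | Select-Object -ExpandProperty Path)
        RestorePts = @($hits | Where-Object RestorePoint | Select-Object -ExpandProperty Path)
        ByName     = @($hits | Group-Object Name | Sort-Object Count -Descending |
                        ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count })
    }
}

Get-KasperskyTriage -Text $SampleReport | Format-List
```

On the constructed sample this reports 11 lines, 2 locked, 6 detections, 4 live paths (the Content.IE5 download, the Spybot recovery archive, the cracked installer and C:\WINDOWS\em3kfiles\install.exe) and 2 restore-point copies, with Trojan-PSW.Win32.Small.bs appearing three times. Running it over the full report pasted above gives the helper the same list Susan528 works through by hand in the next post.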
Susan528
post Jan 16 2007, 09:21 AM
Post #11
SuperMember | Group: Authentic Member | Posts: 3,194 | Joined: 25-May 05 | From: L.A. (lower Alabama) | Member No.: 33,131 | Operating System: Windows XP Pro

==========
This will delete the temporary internet files which contain infected files.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

=============
Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode; please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Documents and Settings\Mark\Shared\(Crack) easyrecorder.ace <= file
C:\WINDOWS\em3kfiles\install.exe <= file

Exit Explorer, and reboot as normal afterwards.

================
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.280/[From "eBay Member: mpm32004" <member@ebay.com>][Date Thu, 5 May 2005 05:24:30 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.280 Mail: infected - 1 skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.282/[From "eBay Member: mpm32004" <member@ebay.com>][Date Tue, 17 May 2005 18:59:42 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.282 Mail: infected - 1 skipped

Here is a link about archived mail. If you have problems, please post (reply) back. Sometimes you have to compact files in order to permanently delete them, but this is archived mail so I am not sure if this applies in this case.
http://belfiore.mvps.org/mail.htm
================
Please ignore this for now!
Download ADS Spy and save it to your Desktop.
- Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
- Run ADS Spy and select the "Full scan (all NTFS Drives)" option.
- Uncheck the "Ignore safe system info data streams" option.
- Uncheck the "Quick Scan" option.
- Finally, click the "Scan the system for alternate data streams" button.
- If C:\WINDOWS\system32:huy32.sys is found, highlight it by clicking on it and then click "Remove selected stream".
- Exit the program.

Reboot your computer.

=============
Please run GMER and Kaspersky again and reply with the results.

This post has been edited by Susan528: Jan 16 2007, 02:18 PM
Susan528
post Jan 16 2007, 02:16 PM
Post #12
SuperMember | Group: Authentic Member | Posts: 3,194 | Joined: 25-May 05 | From: L.A. (lower Alabama) | Member No.: 33,131 | Operating System: Windows XP Pro

Hi mpm32,

Please hold off on the ADS Spy step for me. I am obtaining some other instructions from those who have provided input!

This post has been edited by Susan528: Jan 16 2007, 02:23 PM
mpm32
post Jan 16 2007, 02:23 PM
Post #13
Authentic Member | Group: Authentic Member | Posts: 30 | Joined: 14-January 07 | Member No.: 66,404 | Operating System: XP

No problem, I am at the office now so I couldn't do anything until I got home. I will await your new instructions.
Susan528
post Jan 16 2007, 03:31 PM
Post #14
SuperMember | Group: Authentic Member | Posts: 3,194 | Joined: 25-May 05 | From: L.A. (lower Alabama) | Member No.: 33,131 | Operating System: Windows XP Pro

Thanks, I will get back to you!
Susan528
post Jan 16 2007, 08:31 PM
Post #15
SuperMember | Group: Authentic Member | Posts: 3,194 | Joined: 25-May 05 | From: L.A. (lower Alabama) | Member No.: 33,131 | Operating System: Windows XP Pro

Hello mpm32,

Ejvindh, who is an expert working with rootkits, would like to analyze the file. Please do the following:

Go to Start > Run and type cmd.
A window will open.

Please type, or copy and paste, the following command line (including the word type) in the window:

CODE
type C:\WINDOWS\system32:huy32.sys > c:\huy32.sys

Hit the Enter key.

Please go to the following link:
http://www.thespykiller.co.uk/forum/index.php?board=1.0
and scroll down so that you see the board with the headings Subject, Started by, Replies, etc. You will see a "New Topic" tab at the right. Please click the "New Topic" tab.

Then scroll down. Please enter your name and email address.
Copy and paste "ADS rootkit for Ejvindh" into the Subject line.

Copy and paste the following link into the box:
http://forums.tomcoyote.org/index.php?show...mp;#entry345395
You will see "Attach" below; click the "Browse" button and navigate to the following file on your computer:
c:\huy32.sys

Then please click "Post".

Please let me know if you were able to do this.

==========
This will delete the temporary internet files which contain infected files.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

=============
Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode; please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Documents and Settings\Mark\Shared\(Crack) easyrecorder.ace <= file
C:\WINDOWS\em3kfiles\install.exe <= file

Exit Explorer, and reboot as normal afterwards.

================
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.280/[From "eBay Member: mpm32004" <member@ebay.com>][Date Thu, 5 May 2005 05:24:30 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.280 Mail: infected - 1 skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.282/[From "eBay Member: mpm32004" <member@ebay.com>][Date Tue, 17 May 2005 18:59:42 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\MSN\db\mpm32-msn-com.282 Mail: infected - 1 skipped

Here is a link about archived mail. If you have problems, please post (reply) back. Sometimes you have to compact files in order to permanently delete them, but this is archived mail so I am not sure if this applies in this case.
http://belfiore.mvps.org/mail.htm
================
Please run Kaspersky again and reply with the results.

This post has been edited by Susan528: Jan 17 2007, 10:21 AM
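What the type command above is really doing, and why the earlier Avenger step failed: GMER lists the driver image as C:\WINDOWS\system32:huy32.sys, with a colon rather than a backslash before the name. That is a named NTFS alternate data stream attached to the system32 directory itself, not a file inside it. Avenger was told to delete C:\WINDOWS\system32\huy32.sys, an ordinary file that does not exist, so NTFS answered with status 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND), while unloading the huy32 driver still succeeded because the service registration lives in the registry, separate from wherever the image bytes are stored. cmd.exe's type opens "directory:stream" like any other path, so redirecting its output into C:\huy32.sys turns the hidden stream into a plain file that can be hashed, scanned and uploaded. The PowerShell below is an added example, not from the thread and not Ejvindh's, F-Secure's or Swandog46's tooling. It enumerates the streams on the directory with FindFirstStreamW (Windows Vista / Server 2003 and later; XP has no stream-enumeration API, which is why the thread relies on knowing the stream name from GMER), exports a named stream with the same type redirection the thread uses, hashes the copy, and removes the stream with DeleteFileW. The target path and stream name are the ones GMER reported; the export path is the one in Susan528's command; an elevated prompt is assumed for anything under C:\WINDOWS.

```powershell
# Added example, not from the thread. Requires Windows Vista / Server 2003 or later
# (FindFirstStreamW) and an elevated prompt for anything under C:\WINDOWS.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class NtfsStreams
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WIN32_FIND_STREAM_DATA
    {
        public long StreamSize;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)]   // MAX_PATH + 36
        public string cStreamName;                               // e.g. ":huy32.sys:$DATA"
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr FindFirstStreamW(string fileName, int infoLevel, out WIN32_FIND_STREAM_DATA data, uint flags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool FindNextStreamW(IntPtr handle, out WIN32_FIND_STREAM_DATA data);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool FindClose(IntPtr handle);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool DeleteFileW(string path);

    // Every stream on a file or directory, name -> size. A directory has no
    // default ":$DATA" stream, so on a directory everything returned is an ADS.
    public static Dictionary<string, long> List(string path)
    {
        var streams = new Dictionary<string, long>();
        WIN32_FIND_STREAM_DATA d;
        IntPtr h = FindFirstStreamW(path, 0, out d, 0);     // 0 = FindStreamInfoStandard
        if (h == new IntPtr(-1))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == 38) return streams;                   // ERROR_HANDLE_EOF: no streams at all
            throw new System.ComponentModel.Win32Exception(err);
        }
        try { do { streams[d.cStreamName] = d.StreamSize; } while (FindNextStreamW(h, out d)); }
        finally { FindClose(h); }
        return streams;
    }
}
'@

$Target     = 'C:\WINDOWS\system32'   # object GMER flagged: "ADS C:\WINDOWS\system32:huy32.sys"
$StreamName = 'huy32.sys'
$Exported   = 'C:\huy32.sys'          # plain-file copy, same destination as the thread's command

function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($kv in [NtfsStreams]::List($Path).GetEnumerator()) {
        if ($kv.Key -eq ':$DATA') { continue }                 # a file's unnamed default stream
        [pscustomobject]@{
            Path   = $Path
            Stream = $kv.Key -replace '^:|:\$DATA$', ''        # ":huy32.sys:$DATA" -> "huy32.sys"
            Size   = $kv.Value
        }
    }
}

function Export-AlternateStream {
    param([string]$Path, [string]$Stream, [string]$Destination)
    # cmd.exe's type opens "dir:stream" as an ordinary path (what the thread relies on);
    # redirecting it yields a normal file that AV, hashing and upload forms can see.
    # Neither path here contains spaces; quote them inside the cmd string if yours do.
    $source = '{0}:{1}' -f $Path, $Stream
    & cmd.exe /c "type $source > $Destination"
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Destination)) { throw "export of $source failed" }
    Get-FileHash -LiteralPath $Destination -Algorithm SHA256
}

function Remove-AlternateStream {
    param([string]$Path, [string]$Stream)
    # DeleteFileW on "dir:stream" removes only that stream, not the directory.
    # Do this only after the driver using it is unloaded (the thread's Avenger step):
    # a rootkit that is still running can block the deletion or recreate the stream.
    if (-not [NtfsStreams]::DeleteFileW(('{0}:{1}' -f $Path, $Stream))) {
        throw "DeleteFileW failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}

$ads = @(Get-AlternateStreams -Path $Target)
$ads | Format-Table -AutoSize
if ($ads.Stream -contains $StreamName) {
    (Export-AlternateStream -Path $Target -Stream $StreamName -Destination $Exported).Hash
    # Remove-AlternateStream -Path $Target -Stream $StreamName   # once the driver is unloaded
}
```

The order matters: export and hash first, so the analyst has the sample and the hash before anything is destroyed, then stop the driver (Avenger's "Drivers to unload" did that here), and only then remove the stream. A stream on a directory never shows up in Explorer or in a plain dir listing, which is why neither Spybot nor Ad-Aware saw the file while the rootkit's service entry pointed straight at it; on Vista and later, dir /r in cmd.exe lists streams alongside the files that carry them.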

© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy